H0lyGh0st Ransomware: Watch This Unholy Threat “Meet Its Maker” (Video)

A North Korean ransomware threat, known as “H0lyGh0st,” boasts of helping the poor by attacking businesses and demanding payment for a file decryption key. Although this threat actor claims a “Robin Hood” style purpose of closing the wealth gap by taking from the rich, its attack pattern reveals a less than “holy” mission.

The group behind H0lyGh0st started targeting organizations with ransomware in June 2021. Targets include small and medium-sized businesses that are likely running on minimal budgets for security. Multiple variants of H0lyGh0st have been developed since its inception, each with increased functionality and malicious intent.

It's possible that the threat actor responsible for H0lyGh0st has a connection to global geopolitical activity. First tracked by Microsoft under the name “DEV-0530,” this actor is believed to have ties with PLUTONIUM, a North Korean threat group that has been active since 2014. H0lyGh0st and PLUTONIUM share the same infrastructure, along with custom malware controllers that have similar names. H0lyGh0st has also been found communicating with known PLUTONIUM email accounts.

Victims of H0lyGh0st ransomware infection risk more than just financial burdens. This threat can cause significant corruption of data and reputational damage, regardless of whether the victim pays the ransom.

H0lyGh0st Ransomware Is No Match for BlackBerry Defenses

Watch our demo video below to experience a H0lyGh0st attack as it takes place in real time, and to see how BlackBerry prevents it using the cloud-enabled endpoint detection and response (EDR) solution CylanceOPTICS®, in concert with CylancePROTECT®, the Cylance® AI-powered endpoint protection platform (EPP).

DEMO VIDEO: BlackBerry vs. H0lyGh0st Ransomware

Learn more about H0lyGh0st in our deep-dive blog, North Korean H0lyGh0st Ransomware Has Ties to Global Geopolitics.

Figure 1 – CylanceOPTICS tracks each step H0lyGh0st takes in the system, providing real-time detection and prevention information.

Figure 2 – CylancePROTECT prevents H0lyGh0st from accessing the target system, stopping the attack before it occurs.

BlackBerry Protects Against H0lyGh0st Ransomware

CylancePROTECT provides automated malware prevention, application and script control, memory protection, and device policy enforcement. CylanceOPTICS extends threat protection by using artificial intelligence (AI) to prevent security incidents. It provides true AI incident prevention, root cause analysis, and smart threat hunting, along with automated detection and response capabilities.  

BlackBerry Assistance

The BlackBerry Incident Response team can work with organizations of any size and across any vertical, to evaluate and enhance their endpoint security posture and proactively maintain the security, integrity, and resilience of their network infrastructure. For emergency assistance, please email us at DLIR@blackberry.com, or use our handraiser form.

Video Transcript

In this video, we’re going to demonstrate H0lyGh0st, a ransomware strain that has been seen in the wild since approximately June 2021. Several variants of H0lyGh0st have been developed in that time, with each iteration becoming more functional and increasingly insidious.

In this case, we’re going to execute the latest known variant, from April 2022, which has updated encryption functionality, as well as a method for achieving persistence. For this purpose, we’ve set up a test machine with CylanceOPTICS® in “Audit-Only” mode, to allow this ransomware to run. It is important to note that H0lyGh0st needs to be executed with Administrator privileges to affect its target.

When executed, it opens a command window that tries to connect to “ServerBaseURL,” and if that fails, then switches to "Intranet mode." Right after achieving a successful connection, it displays each file being copied, encrypted, and subsequently renamed. It also creates a scheduled task called “lockertask” to achieve persistence on the victim’s machine. Upon completion of the encryption process, it places the ransom note on the desktop with further instructions. CylanceOPTICS can identify evidence of the initial intranet connections, as well as the attempted remote logins with the credentials placed within the process.

Through our root-cause analysis, we can conduct a deep dive into the specifics for this attack. We can see all steps taken by H0lyGh0st, including the scheduled task created for persistence and “net use” with the credentials in the executable.

By taking a proactive and preventative approach to EDR, CylanceOPTICS can stop this attack before it tries to encrypt the system or propagate across the network.

Here we have a system with CylanceOPTICS, but this time with a prevention policy in place. If we try to execute H0lyGh0st with administrator privileges, it is stopped pre-encryption. If we provide a prevention-first approach to endpoint protection, then CylancePROTECT® can prevent H0lyGh0st in pre-execution, before the ransomware can act on its first instruction. Let’s copy the same set of files, all the different versions we have seen from this ransomware, and let’s try to execute them. CylancePROTECT stops this threat, and its variants, at the earliest possible stage in its attack chain.

Prevention is possible, with BlackBerry.

Related Reading

About Hector Diaz

Senior Technical Marketing Manager at BlackBerry

Hector Diaz is a Senior Technical Marketing Manager for Latin America and the Caribbean at BlackBerry. Hector works with Engineering and Product Management to translate technology concepts into digestible pieces, evangelizing and educating people about Artificial Intelligence (AI) applied to cybersecurity.

With over 15 years of experience in cybersecurity, Hector is a respected professional who is in-demand at trade shows, partner training and customer engagements across Latin America and the Caribbean Region.

Back